Date posted: 06-Apr-2017 | Category: Technology | Uploaded by: vmworld
The Next Horizon for Cloud Networking and Security
Guido Appenzeller, VMware, Inc
NET6639-S #NET6639
CONFIDENTIAL
Disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
The Next Horizon for Cloud Networking and Security
Guido Appenzeller
Chief Technology & Strategy Officer, Networking & Security, VMware
Great to be here. Exciting session. Live demos. I hope they work. Before we start, reflect on NSX.
NSX Customer and Business Momentum
65+ organizations have invested $1M+ in NSX
700+ NSX customers
100+ production deployments (adding 25-50 per quarter)
NSX has been an incredible success. - 700, 100, 65
Networking is a Software Industry
The bigger picture is that there has been a tectonic shift in networking. Today networking is a SW industry. Capabilities of a network today are defined by software that is independent of the HW. SW and HW industries are fundamentally different. Blockbuster vs. Netflix. Borders vs. Amazon. IBM Mainframes vs. Microsoft.
Two Tier Infrastructure Model: VM or server workloads and network are separate security domains
(Diagram: Physical Servers / Physical Network Infrastructure / Internet)
Used to be HW server and network. Capabilities of the network were defined by HW. Wanted new capabilities, buy new HW.
Two Tier Infrastructure Model: VM or server workloads and network are separate security domains
(Diagram: Virtual Machines / Physical Network Infrastructure / Internet)
Network Virtualization: NSX provides connectivity, security and services across your end points
(Diagram: Virtual Machines on Virtual Infrastructure / Physical Network Infrastructure / Internet)
Application Demands: many different applications; different compliance & security needs; frequent change
Hardware Complexity: multiple vendors; different architectures; multiple locations
NSX Network Virtualization: Speed & Automation; Agility; Security & Policy
Capabilities of the network defined in SW. DF as a software update. Doesn't require a new box. NSX provides 3 things: Speed & Automation; Agility (different apps & HW); Security.
Network Virtualization: NSX provides connectivity, security and services across your end points
(Diagram: Applications on Virtual Infrastructure / Physical Network Infrastructure / Internet)
Multiple Hypervisor Support: vSphere/ESXi; KVM
Hardware Complexity: multiple vendors; different architectures; multiple locations
NSX Network Virtualization: Automation; Security & Policy; Service Insertion
Everyone knows NSX is the market leader for vSphere. We are also the market leader for open source hypervisors.
NSX in Open Source Environments
60 organizations contributing to Open vSwitch
20% of NSX production deployments use OpenStack
100k+ KVM VMs in a single NSX deployment
Foundation: OVS. 60 orgs, including competitors. All agree we need a solid open source foundation. OpenStack: 20% of production deployments. Huge. Talked to customers that have run over 100k VMs with networks powered by NSX.
NSX: The market leader for Virtual Networking, for ESX and Open Source
(Diagram: Virtual Machines and Applications on Virtual Infrastructure / Physical Network Infrastructure / Internet)
Where do we go from here?
Today I want to give you a sneak preview of what we are working on. What you are seeing are not today's products. We are not announcing anything: no ship dates, no features of existing products, no new products. But this is where we think we will go next.
Containers: Containers are emerging as the application management layer of choice
(Diagram: VM applications, each VM carrying App / bin/libs / OS on a hypervisor on the host, versus application containers, many Apps sharing one OS and bin/libs on the host)
NSX Container Deployments Today
Containers run inside of VMs
Group containers of one application inside a VM
Containers often behind NAT
No container level networking
Does this make sense? It actually does. This is how enterprises are using NSX containers.
(Diagram: hypervisor hosting VMs, each VM running several containers, connected through the vSwitch)
Container Security: Vulnerable Application
(Diagram: Internet -> Port 80 -> Website containers; internal network with Vault containers and Database)
Explanation: WebSite App (blue) is internet facing. Vault App (green) is internal only. Hack WebSite App, then hop to Vault and attach DB.
Application Level Vulnerability (demo screenshot: "Improving the capacity indicator")
Containers: do we still need a Hypervisor? Lack of isolation allows an attacker to move around
(Diagram: Internet -> Port 80 -> Website containers; internal network with Vault containers, Database and Confidential Information)
Containers: do we still need a Hypervisor? Privilege escalation can lead to container host compromise
(Diagram: same topology; Confidential Information reachable once the container host is compromised)
Containers: do we still need a Hypervisor? NSX provides segmentation, visibility and integration
(Diagram: Internet -> Port 80 -> Website containers; internal network micro-segmented from the data center's Physical Network Infrastructure with Vault and Database; honey pot and vulnerability scanner; alert raised on a connection to the data center)
Why NSX for Containers?
Segment Applications: stateful firewall; limit attacker's movement
Monitoring: per-flow tracking; alerts for suspicious behavior; virtual taps
Security, Incident Response, Forensics: access to backend systems
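As an added example (not from the presentation and not NSX code), the following Python models the Website / Vault / Database scenario from the preceding slides with a stateful, default-deny allow-list firewall, so the two deployment models can be compared: the flat "containers behind NAT, no container-level networking" case, where the compromised Website container reaches Vault and the Database, and the micro-segmented case, where those hops are denied, logged per flow and alerted. Workload names, security-group names and the ports 8200, 5432 and 4444 are assumptions chosen for illustration.

```python
"""Stateful micro-segmentation walk-through for the Website / Vault / Database
scenario. Constructed example, not NSX code: a tiny allow-list firewall that
evaluates flows between workloads tagged by security group and alerts on
flows from internal workloads that no rule permits. Workload names, group
names and port numbers are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int]  # (source group, destination group, destination port)


@dataclass(frozen=True)
class Flow:
    src: str    # workload name
    dst: str
    dport: int


# Workload -> security group. Mirrors the slide: internet-facing Website,
# internal-only Vault, and a Database that only Vault needs to reach (assumed).
GROUPS: Dict[str, str] = {
    "internet": "internet",
    "website-1": "website", "website-2": "website",
    "vault-1": "vault",
    "db-1": "database",
}

# Micro-segmented policy: explicit allow-list, everything else denied.
# Ports 8200 (vault) and 5432 (database) are assumed for the example.
SEGMENTED_RULES: List[Rule] = [
    ("internet", "website", 80),
    ("vault", "database", 5432),
]


@dataclass
class StatefulFirewall:
    rules: Set[Rule]
    flat_internal: bool = False   # True models "behind NAT, no container-level rules"
    sessions: Set[Flow] = field(default_factory=set)
    log: List[Tuple[Flow, str]] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def new_connection(self, flow: Flow) -> bool:
        """Evaluate the first packet of a flow; allowed flows become sessions."""
        sg_src, sg_dst = GROUPS[flow.src], GROUPS[flow.dst]
        allowed = (sg_src, sg_dst, flow.dport) in self.rules
        if not allowed and self.flat_internal and "internet" not in (sg_src, sg_dst):
            allowed = True  # flat network: any internal workload reaches any other
        self.log.append((flow, "ALLOW" if allowed else "DENY"))  # per-flow record
        if allowed:
            self.sessions.add(flow)
        elif sg_src != "internet":
            # A denied flow originating inside the environment is the signal
            # for lateral movement or unexpected egress; raise an alert.
            self.alerts.append(
                f"DENY from internal workload {flow.src} ({sg_src}) "
                f"to {flow.dst}:{flow.dport}")
        return allowed

    def reply(self, src: str, dst: str, sport: int) -> bool:
        """Return traffic is permitted only for an established forward session."""
        return Flow(dst, src, sport) in self.sessions


def simulate_attack(fw: StatefulFirewall) -> Dict[str, bool]:
    """Compromise of website-1 via port 80, then the hop to Vault and the Database."""
    return {
        "internet->website:80": fw.new_connection(Flow("internet", "website-1", 80)),
        "website reply to internet": fw.reply("website-1", "internet", 80),
        "website->vault:8200": fw.new_connection(Flow("website-1", "vault-1", 8200)),
        "website->db:5432": fw.new_connection(Flow("website-1", "db-1", 5432)),
        "website->internet:4444 (reverse shell)": fw.new_connection(
            Flow("website-1", "internet", 4444)),
        "vault->db:5432 (legitimate)": fw.new_connection(Flow("vault-1", "db-1", 5432)),
    }


if __name__ == "__main__":
    for label, fw in (("flat", StatefulFirewall(set(SEGMENTED_RULES), flat_internal=True)),
                      ("segmented", StatefulFirewall(set(SEGMENTED_RULES)))):
        print(label, simulate_attack(fw))
        for alert in fw.alerts:
            print("  ALERT:", alert)
```

Running the block prints the verdicts for both policies. The reply() check is what makes the firewall stateful: Website's response to the Internet client is allowed because the inbound port-80 session exists, while Website opening its own connection out to the Internet (the reverse-shell case) is denied, since neither a rule nor an existing session covers it. The per-flow log and the alerts are the raw material for the monitoring and forensics points on the slide.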
Network Virtualization: NSX provides support for third generation applications
(Diagram: Virtual Machines and Applications on Virtual Infrastructure / Physical Network Infrastructure / Internet)
Application Demands: vSphere/ESXi; KVM; Third Generation Applications
Hardware Complexity: multiple vendors; different architectures; multiple locations
NSX Network Virtualization: Automation; Security & Policy; Service Insertion
The Public Cloud
New Opportunities: on-demand resources; capacity in any geography; instant provisioning
New Challenges: security & compliance; connectivity with on-premises; cloud lock-in
And there is one more thing, called the cloud.
Power of Cloud: Workload Mobility (diagram: APPs moving between clouds)
Lock-In Through Services (diagram: each cloud with its own Storage Service, Load Balancing Service and Firewall Service)
Cloud: Just New Silos? (diagram: one APP per cloud, each bound to that cloud's Storage, Load Balancing and Firewall services)
BYOI: Bring Your Own Infrastructure (diagram: NSX layered across the clouds, with APPs above the per-cloud Storage, Load Balancing and Firewall services)
Tech-Preview: NSX for Amazon Web Services
Native support for AWS instances with coherent services and security posture for on and off-premise
On-Premise NSX/vSphere: AWS instances are added to a logical switch; consistent security posture on-premise and in cloud; AWS instances leverage services
Amazon Web Services: developer launches instances via the Amazon console; native AWS server instances (AMIs) are added to NSX virtual networks via policy
IT Administrator defines network and security policy
(Diagram: Data Center with Web Server and HR Server, AWS Cloud, Internet)
NSX Tomorrow: Virtual Networking for all Platforms. Wherever you go, NSX is there to help you.
(Diagram: Physical Network / Virtual Infrastructure)
Speed: provision connectivity for any endpoint across different domains.
Agility: automate provisioning via templates and rich APIs.
Security: consistent security posture and visibility across all types of endpoints.
Endpoints: On-Premise Data Center; 3rd Generation Apps; Public Clouds; Virtual Desktop; Mobile Devices
Explain vision: Speed, Agility, Security. The future of your IT org will be complicated: on premise vs cloud, 2nd gen vs 3rd gen, IaaS vs PaaS, OSS vs CS, mobile users. If there is one thing I want you to take away from this session, it is that whatever you do, NSX is there for the journey and will help you to be fast, agile and secure.
Thank you!
Containers + Public Cloud + NSX
To some of you, this may
NSX + Public Cloud + Containers
Sydney, Hong Kong, Palo Alto, Chicago, Dallas, Virginia, Seattle
500 web servers, 7 data centers, 3 continents, 2 public clouds + 1 on premise, in 5 minutes